Score:0

Enable TLSv1.1 on httpd 2.4.56 running on Docker


I am trying to modernize the infrastructure of a HTTP web service. I want to update the web server to something more recent and secure, but I have to maintain compatibility with some legacy devices in the field that are unable to connect using TLSv1.2.

The web server I am using is httpd version 2.4.56 running on a Docker container with Alpine Linux (for reference the image is httpd:2.4.56-alpine3.17).

I tried enabling TLSv1.1 ciphers by changing the default httpd-ssl.conf file with these lines:

SSLCipherSuite ALL:@SECLEVEL=1
SSLProxyCipherSuite ALL:@SECLEVEL=1

The SSLProtocol and SSLProxyProtocol directives are both set to all -SSLv3.

After that I changed /etc/ssl/openssl.cnf by adding at the top

openssl_conf = default_conf

and

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.1
CipherString = DEFAULT@SECLEVEL=1

[openssl_init]
providers = provider_sect

after the [ new_oids ] section.

To test the result I used the command nmap -script ssl-enum-ciphers -p 9443 localhost and obtained the following result:

PORT     STATE SERVICE
9443/tcp open  tungsten-https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

So, clearly I am missing something, as I expected some TLSv1.1 ciphers to show up.

I also tried inserting some syntax errors to see if the openssl.cnf file is read correctly, and it seems that the configuration is ignored even if I can find it browsing the container filesystem.

ezra-s:
It feels quite odd to ask about setting something in httpd and not show one bit of httpd configuration. Could you please update your question and show the appropriate bits? At the very least you should have a directive such as `SSLProtocol all -TLSv1`.
Marco Benetti:
I tried to attach httpd-ssl.conf and openssl.cnf but the question was getting flagged as spam. I previously asked the [same question on Stack Overflow](https://stackoverflow.com/questions/75743303/enable-tlsv1-1-on-httpd-2-4-56-running-on-docker), there I managed to include the full configuration. The only changes I made from the default configuration are the ones listed on the first part of the question. I am aware of the `SSLProtocol all -TLSv1` directive and now I included it in my configuration in place of `all -SSLv3`
ezra-s:
I tried your SSLCipherSuite and my openssl gave me an error, try a more sane list, for example one similar to the one in the Mozilla SSL generator including inferior ciphers: `SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA`
Marco Benetti:
Thanks for the help, I tried your configuration and the output of the `nmap` command now has a more compact list of ciphers, but it still has only TLSv1.2 and TLSv1.3. Can this be a problem of the OpenSSL version? In the logs I see `[Thu Mar 30 08:08:03.000603 2023] [ssl:info] [pid 1:tid 139702950845256] AH01876: mod_ssl/2.4.56 compiled against Server: Apache/2.4.56, Library: OpenSSL/3.0.8`; maybe 3.0.8 does not support older ciphers, but I can't find any information online regarding this.
Marco Benetti:
For reference, this is the cipher list I get as output, maybe it can be helpful:

TLSv1.2:
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
TLSv1.3:
  TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
  TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
  TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
ezra-s:
That's probably it. I haven't used OpenSSL 3.x so I can't tell, but you can check it by yourself with this command: `openssl ciphers -v 'ALL'`
Marco Benetti:
The Alpine Linux container I was using did not have the openssl command; after I switched to the `2.4.56-bullseye` image and ported the modifications I did to the Alpine version, the container started accepting TLSv1.1 ciphers. I guess the OpenSSL 3.0.8 configuration has something different from the 1.1.1 that the Bullseye container uses, because on an Ubuntu 22.04 with OpenSSL 3.0.2 I see a bunch of TLSv1 ciphers. @DanielFerradal thanks for the help, I'll keep the question open if someone that knows how to enable TLSv1.1 on the specific Alpine Linux version stumbles upon it.
Score:0

I finally got it working following the suggestions posted here.

To sum it up, it works by changing CipherString = DEFAULT@SECLEVEL=1 to CipherString = DEFAULT@SECLEVEL=0 in the openssl.cnf file when using OpenSSL version 3.

I suggest exposing only what is necessary for the given use case; as an example, I exposed only TLSv1.1 using the MinProtocol directive in openssl.cnf.
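The thread above shows the settings that were tried but never the corrected configuration side by side with the failing one, nor a way to confirm afterwards that only the intended protocol versions are reachable. The script below is an added example, not code from the question or the answer. The underlying reason the SECLEVEL change is needed: OpenSSL 3.0 refuses SSLv3, TLS 1.0 and TLS 1.1 at security level 1 or higher, because those handshakes are signed with MD5||SHA1, which falls below the level-1 floor of 80 bits; level 0 is the only level that admits them. Two points worth knowing beyond what the thread states: mod_ssl applies SSLCipherSuite after OpenSSL has loaded openssl.cnf, so an `@SECLEVEL=1` left in httpd-ssl.conf overrides a `@SECLEVEL=0` in the system_default section, and conversely `@SECLEVEL=0` in the directive is enough on its own, so the relaxation can be confined to the legacy VirtualHost instead of the whole container; and a client running OpenSSL 3 must itself be at level 0 to even offer TLS 1.1, otherwise every legacy probe fails regardless of the server. Assumptions in the script: port 9443 as in the question, the `ECDHE-RSA-AES128-SHA` suite as a placeholder for whatever the field devices actually negotiate, and the nmap sample is constructed (abridged from the question's scan with the TLSv1.1 section the fix adds).

```shell
#!/bin/sh
# Added example for the TLSv1.1-on-OpenSSL-3 thread; not the original poster's code.
# Assumptions: legacy vhost on port 9443 (from the question); ECDHE-RSA-AES128-SHA
# stands in for the suite the field devices really use; sample_scan is constructed.

# Weak form: the lines from the question. Level 1 is OpenSSL 3's default and it
# refuses TLS 1.0/1.1 outright, so no TLSv1.1 section can ever appear in the scan.
weak_httpd_fragment() {
cat <<'EOF'
SSLProtocol      all -SSLv3
SSLCipherSuite   ALL:@SECLEVEL=1
EOF
}

# Corrected form, scoped to the legacy vhost only. @SECLEVEL=0 unlocks TLS 1.1;
# SSLProtocol still drops TLSv1 and SSLv3; the suite list is pinned instead of
# ALL because level 0 would otherwise re-admit export, RC4, DES and anonymous
# suites. Being applied after openssl.cnf, this directive takes precedence over
# any system_default CipherString, so /etc/ssl/openssl.cnf can stay untouched
# (a MinProtocol line there, if present, must still allow TLSv1.1).
fixed_httpd_fragment() {
cat <<'EOF'
<VirtualHost *:9443>
    SSLEngine            on
    SSLProtocol          all -SSLv3 -TLSv1
    SSLHonorCipherOrder  on
    SSLCipherSuite       ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:@SECLEVEL=0
</VirtualHost>
EOF
}

# Live check from outside the container: probe_versions HOST PORT.
# The client side also needs level 0, or an OpenSSL 3 client will not offer
# TLS 1.0/1.1 at all. s_client exits non-zero when the handshake fails.
probe_versions() {
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    if openssl s_client -connect "$1:$2" "-$v" -cipher 'ALL:@SECLEVEL=0' \
         </dev/null >/dev/null 2>&1; then
      echo "$v: accepted"
    else
      echo "$v: refused"
    fi
  done
}

# Protocol versions offered, parsed from `nmap --script ssl-enum-ciphers` output
# on stdin (the scan the question already uses), one per line.
offered_versions() {
  grep -oE '^\| +(SSLv3|TLSv1\.[0-3]):' | tr -d '|: '
}

# Exit 1 if the scan exposes a version outside the allowed set, so the check
# can gate a deploy. $1 = space-separated allowed versions; scan on stdin.
check_exposure() {
  allowed=" $1 "
  rc=0
  for v in $(offered_versions); do
    case "$allowed" in
      *" $v "*) echo "ok:         $v" ;;
      *)        echo "unexpected: $v"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed nmap output (abridged from the question's scan, plus the TLSv1.1
# section the corrected vhost produces), used to exercise the checker offline.
sample_scan() {
cat <<'EOF'
PORT     STATE SERVICE
9443/tcp open  tungsten-https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
EOF
}

# Offline demonstration; against the real server use:
#   nmap --script ssl-enum-ciphers -p 9443 localhost | check_exposure "TLSv1.1 TLSv1.2 TLSv1.3"
#   probe_versions localhost 9443
sample_scan | check_exposure "TLSv1.1 TLSv1.2 TLSv1.3"
```

Level 0 removes every floor OpenSSL enforces (key sizes, signature hashes, export and anonymous suites), not just the protocol-version one, which is why the corrected fragment keeps an explicit suite list and the `-SSLv3 -TLSv1` exclusions and lives only in the vhost the legacy devices talk to. Run `check_exposure` with the allowed set you actually intend; if the legacy devices are ever retired, dropping `TLSv1.1` from that set makes the same check fail until `@SECLEVEL=0` is removed again.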
